Wireshark mailing list archives

Re: Help with desegmentation issue


From: wsgd <wsgd () free fr>
Date: Wed, 16 Dec 2009 18:37:47 +0100

Jarolin, Robert wrote:

I discovered what the problem was with the dissection.
It turns out that "tcp_dissect_pdus" does not work properly if the 
packet(s) have "TCP CHECKSUM INCORRECT"

I took the data (4 packets) that had the data segmented and rebuilt 
the packet header data including the TCP header using text2pcap.

When I tried to dissect these packets (that now had proper TCP 
checksums), my dissector correctly desegmented the data.
I then edited the packets to just change the TCP checksum and tried 
again.  The packets can no longer be desegmented.

This is the normal wireshark behavior.

Any ideas what to do about this issue?

Turn off "Validate the TCP checksum ..." in Edit / Preferences / 
Protocols / TCP.

Olivier

Thanks.

See my original message below:

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv


I have a dissector that uses tcp_dissect_pdus that does not seem to be 
doing the job.  Please help.
I have a dump that contains 4 TCP packets that are all related to the 
same message (a total of 4428 bytes).
The first 3 packets are a length of 1460 bytes and the last 48 bytes 
=> 1460 * 3 + 48 = 4428
When dissection takes place, the desegmentation does not seem to 
properly occur.

Under the TCP portion of the dissection it properly says:
  [PDU Size: 4428]
But the data available for dissection is only the size of the first 
packet (1460)

What am I doing wrong?  Thanks for any help.

Below are excerpts from my dissector:

#define FRAME_HEADER_LEN 4

static void
dissect_myproto_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  guint total_len;

  /* Check that there's enough data */
  total_len = tvb_length(tvb);
  printf("Total_len = %u\n", total_len);  /* THIS prints 1460 */
.
// Dissect my data
.
}

static guint
get_myproto_message_len(packet_info *pinfo, tvbuff_t *tvb, int offset)
{
  guint length = 0;

  // myproto message (length is 2 bytes starting at offset 0 * 4)
  length = (guint) ( tvb_get_ntohs( tvb, offset ) * 4 ); // Get the length

  printf("TOTAL of mesage = %u\n", length);  /* This prints 4428 */
  return length;
}


/* Code to actually dissect the packets */
static void
dissect_myproto(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
  tcp_dissect_pdus(tvb, pinfo, tree, TRUE, FRAME_HEADER_LEN,
      get_myproto_message_len, dissect_myproto_message);
}


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
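
Added example, not part of the original thread and not Wireshark's code: because desegmentation in the exchange above depends on whether each segment passes TCP checksum validation, this C code recomputes the checksum over the IPv4 pseudo-header and the TCP segment so a captured segment can be checked by hand. The function names, addresses and payload bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 one's-complement sum of big-endian 16-bit words (odd byte zero-padded). */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Checksum over the IPv4 pseudo-header plus the TCP segment as given: the value
 * to store if bytes 16-17 are zero, or 0 if the stored checksum is correct. */
uint16_t tcp_csum(const uint8_t src[4], const uint8_t dst[4],
                  const uint8_t *seg, size_t len)
{
    /* Pseudo-header: source, destination, zero, protocol 6 (TCP), TCP length. */
    uint8_t ph[12] = { src[0], src[1], src[2], src[3], dst[0], dst[1], dst[2],
                       dst[3], 0, 6, (uint8_t)(len >> 8), (uint8_t)len };
    uint32_t sum = ones_sum(seg, len, ones_sum(ph, sizeof ph, 0));

    while (sum >> 16)                  /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if the segment passes checksum validation, 0 if it would be flagged. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                    const uint8_t *seg, size_t len)
{
    return len >= 20 && len <= 0xffff && tcp_csum(src, dst, seg, len) == 0;
}

int main(void)
{   /* Constructed sample: 20-byte TCP header + 48-byte payload (assumed values). */
    const uint8_t src[4] = { 10, 0, 0, 1 }, dst[4] = { 10, 0, 0, 2 };
    uint8_t seg[68] = { 0 };
    uint16_t c;

    seg[12] = 0x50;                    /* data offset: 5 words, no options */
    memset(seg + 20, 0xab, 48);
    c = tcp_csum(src, dst, seg, sizeof seg);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    printf("as built: %d\n", tcp_checksum_ok(src, dst, seg, sizeof seg));
    seg[17] ^= 0x01;                   /* edit only the checksum field */
    printf("edited:   %d\n", tcp_checksum_ok(src, dst, seg, sizeof seg));
    return 0;
}
```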
